The shortcomings of the Safe Harbor Framework have come to the attention of some data protection authorities in Europe. In April 2010, the Düsseldorfer Kreis, a working group comprised of the 16 German federal state data protection authorities with authority over the private sector, adopted a resolution applicable to those who export data from Germany to US organizations that self-certified compliance with the Safe Harbor Framework. The resolution tells German data exporters that they must verify whether a self-certified data importer in the US complies with the Safe Harbor requirements.

A German exporter of personal data must now obtain evidence that a Safe Harbor self-certification exists and that the Safe Harbor principles are complied with. In addition, an exporter has to obtain evidence showing how the importing company fulfils its Safe Harbor duty to provide notice to the individuals affected by the data processing. A certification more than seven years old is considered invalid. The exporter must also document the assessment and provide proof of it if requested by a data protection authority. [47]

Essentially, the action by the German state data protection authorities rejects in significant part the Safe Harbor Framework, particularly the self-certification as it appears on the Department of Commerce website. The Düsseldorfer Kreis makes this clear when it states that the reason for its action is that “comprehensive control of US-American companies’ self-certifications by supervisory authorities in Europe and in the US is not guaranteed…” [48]

As a result, German data exporters must act on their own to make sure that a US organization complies with the requirements. The effect is to significantly diminish the utility of the Department of Commerce’s Safe Harbor website and of the Department’s reporting of Safe Harbor certifications. If data exporters must themselves verify the compliance of any organization claiming to be in compliance, then the Commerce Department’s role in the Safe Harbor process is undermined or eliminated.

In June 2010, Thilo Weichert, the Data Protection and Privacy Commissioner for the German State of Schleswig-Holstein, went further. Noting the findings of the 2008 Study (discussed earlier in this paper) and the lack of any response by the US and the EU thereafter, the Commissioner called for immediate termination of the Safe Harbor agreement. [49] Recognizing a lack of “courage” for termination, the Commissioner alternatively called on the EU to demand from the US “short-term positive evidence concerning enforcement of the safe harbor principles.” [50]

The actions in Germany regarding Safe Harbor came despite the first enforcement actions brought by the Federal Trade Commission. The FTC has a principal role in enforcing compliance with the Safe Harbor Framework by those who promised to comply. In October 2009, the Commission obtained consent decrees that prohibited six companies from misrepresenting the extent to which they participate in any privacy, security, or other compliance program sponsored by a government or any third party. No penalty was imposed on the six companies for their failure to comply, and no attempt was made to determine the consequences of that failure for the consumers who were supposedly protected by the misrepresented certifications. [51] It is not clear why the Commission took action against these six companies after many years of inaction on Safe Harbor noncompliance.

It appears that the long-standing failures of the Department of Commerce to oversee and control participation by US organizations in the Safe Harbor Framework have undermined the credibility and value of the program. [52] It remains to be seen whether other EU national data protection authorities will also reject Safe Harbor certifications. The substantive and credibility shortcomings of the Safe Harbor Framework have increased the need for reliance on other, more expensive, mechanisms that support the export of data outside the European Union. These mechanisms include contracts and binding corporate rules.

This new WPF report finds that medical identity theft is still a crime that causes great harms to its victims, and that it is growing overall in the United States; however, there’s a catch. The national consumer complaint data suggests that the crime is growing at different rates in different states and regions of the US, creating medical identity theft “hotspots.” These hotspots are important for patients, policymakers, and healthcare stakeholders to know about so as to address potential risks.

WPF has conducted original research on India's Aadhaar, a national biometric ID system, including field research in India during 2010-2014. WPF has published the original research in a peer-reviewed journal, Nature-Springer, and in the Harvard-based Journal of Technology Science. The research found that systemic challenges to data protection and privacy exist in the Aadhaar system, challenges that do have potential remedies. Key lessons can be learned for both the US and the EU as biometric systems grow in popularity.